chef-vault 1.2.5 → 2.0.1.pre

data/lib/chef-vault/user.rb

@@ -15,38 +15,17 @@
 
 class ChefVault
   class User
-    attr_accessor :username
-
-    def initialize(data_bag, username, chef_config_file)
-      @username = username
-      @data_bag = data_bag
+    def initialize(vault, username)
+      @item = ChefVault::Item.load(vault, username)
+    end
 
-      if chef_config_file
-        chef = ChefVault::ChefOffline.new(chef_config_file)
-        chef.connect
-      end
+    def [](key)
+      @item[key]
     end
 
     def decrypt_password
-      # use the private client_key file to create a decryptor
-      private_key = open(Chef::Config[:client_key]).read
-      private_key = OpenSSL::PKey::RSA.new(private_key)
-
-      begin
-        keys = Chef::DataBagItem.load(@data_bag, "#{username}_keys")
-      rescue
-        throw "Could not find data bag item #{username}_keys in data bag #{@data_bag}"
-      end
-
-      unless keys[Chef::Config[:node_name]]
-        throw "Password for #{username} is not encrypted for you!  Rebuild the password data bag"
-      end
-
-      node_key = Base64.decode64(keys[Chef::Config[:node_name]])
-      shared_secret = private_key.private_decrypt(node_key)
-      cred = Chef::EncryptedDataBagItem.load(@data_bag, @username, shared_secret)
-
-      cred["password"]
+      puts "WARNING: This method is deprecated, please switch to item['value'] calls"
+      @item["password"]
     end
   end
 end

data/lib/chef-vault/version.rb

@@ -14,6 +14,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "1.2.5"
+  VERSION = "2.0.1.pre"
   MAJOR, MINOR, TINY = VERSION.split('.')
 end

data/lib/chef/knife/Decrypt.rb

@@ -0,0 +1,64 @@
+# Description: Chef-Vault Decrypt class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife'
+require 'chef-vault'
+
+class Decrypt < Chef::Knife
+  deps do
+    require 'chef/search/query'
+    require File.expand_path('../mixin/compat', __FILE__)
+    require File.expand_path('../mixin/helper', __FILE__)
+    include ChefVault::Mixin::KnifeCompat
+    include ChefVault::Mixin::Helper
+  end
+
+  banner "knife decrypt [VAULT] [ITEM] [VALUES] --mode MODE"
+
+  option :mode,
+    :short => '-M MODE',
+    :long => '--mode MODE',
+    :description => 'Chef mode to run in default - solo'  
+
+  def run
+    vault = @name_args[0]
+    item = @name_args[1]
+    values = @name_args[2]
+
+    if vault && item && values
+      set_mode(config[:mode])
+
+      print_values(vault, item, values)
+    else
+      show_usage
+    end
+  end
+
+  def show_usage
+    super
+    exit 1
+  end
+
+  def print_values(vault, item, values)
+    vault_item = ChefVault::Item.load(vault, item)
+
+    puts "#{vault}/#{item}"
+
+    values.split(",").each do |value|
+      value.strip! # remove white space
+      puts("\t#{value}: #{vault_item[value]}")
+    end
+  end    
+end

data/lib/chef/knife/encrypt_create.rb

@@ -0,0 +1,91 @@
+# Description: Chef-Vault EncryptCreate class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife'
+require 'chef-vault'
+
+class EncryptCreate < Chef::Knife
+  deps do
+    require 'chef/search/query'
+    require File.expand_path('../mixin/compat', __FILE__)
+    require File.expand_path('../mixin/helper', __FILE__)
+    include ChefVault::Mixin::KnifeCompat
+    include ChefVault::Mixin::Helper
+  end
+
+  banner "knife encrypt create [VAULT] [ITEM] [VALUES] "\
+        "--mode MODE --search SEARCH --admins ADMINS --json FILE"
+
+  option :mode,
+    :short => '-M MODE',
+    :long => '--mode MODE',
+    :description => 'Chef mode to run in default - solo'
+
+  option :search,
+    :short => '-S SEARCH',
+    :long => '--search SEARCH',
+    :description => 'Chef SOLR search for clients'
+
+  option :admins,
+    :short => '-A ADMINS',
+    :long => '--admins ADMINS',
+    :description => 'Chef users to be added as admins'
+
+  option :json,
+    :short => '-J FILE',
+    :long => '--json FILE',
+    :description => 'File containing JSON data to encrypt'
+
+  def run
+    vault = @name_args[0]
+    item = @name_args[1]
+    values = @name_args[2]
+    search = config[:search]
+    admins = config[:admins]
+    json_file = config[:json]
+
+    set_mode(config[:mode])
+
+    if vault && item && (values || json_file) && (search || admins)
+      begin
+        vault_item = ChefVault::Item.load(vault, item)
+        raise ChefVault::Exceptions::ItemAlreadyExists,
+              "#{vault_item.data_bag}/#{vault_item.id} already exists, "\
+              "use 'knife encrypt remove' and "\
+              "'knife encrypt update' to make changes."
+      rescue ChefVault::Exceptions::KeysNotFound,
+             ChefVault::Exceptions::ItemNotFound
+        vault_item = ChefVault::Item.new(vault, item)
+       
+        merge_values(values, json_file).each do |key, value|
+          vault_item[key] = value
+        end 
+
+        vault_item.clients(search) if search
+        vault_item.admins(admins) if admins
+
+        vault_item.save
+      end
+    else
+      show_usage
+    end
+  end
+
+  def show_usage
+    super
+    exit 1
+  end
+end
+  

data/lib/chef/knife/encrypt_delete.rb

@@ -0,0 +1,62 @@
+# Description: Chef-Vault EncryptDelete class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife'
+require 'chef-vault'
+
+class EncryptDelete < Chef::Knife
+  deps do
+    require 'chef/search/query'
+    require File.expand_path('../mixin/compat', __FILE__)
+    require File.expand_path('../mixin/helper', __FILE__)
+    include ChefVault::Mixin::KnifeCompat
+    include ChefVault::Mixin::Helper
+  end
+
+  banner "knife encrypt delete [VAULT] [ITEM] --mode MODE"
+
+  option :mode,
+    :short => '-M MODE',
+    :long => '--mode MODE',
+    :description => 'Chef mode to run in default - solo'
+
+  def run
+    vault = @name_args[0]
+    item = @name_args[1]
+
+    set_mode(config[:mode])
+
+    if vault && item
+      delete_object(ChefVault::Item, "#{vault}/#{item}", "chef_vault_item") do
+        begin
+          ChefVault::Item.load(vault, item).destroy
+        rescue ChefVault::Exceptions::KeysNotFound,
+               ChefVault::Exceptions::ItemNotFound
+
+               raise ChefVault::Exceptions::ItemNotFound,
+                     "#{vault}/#{item} not found."
+        end
+      end
+    else
+      show_usage
+    end
+  end
+
+  def show_usage
+    super
+    exit 1
+  end
+end
+  

data/lib/chef/knife/encrypt_remove.rb

@@ -0,0 +1,100 @@
+# Description: Chef-Vault EncryptRemove class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife'
+require 'chef-vault'
+
+class EncryptRemove < Chef::Knife
+  deps do
+    require 'chef/search/query'
+    require File.expand_path('../mixin/compat', __FILE__)
+    require File.expand_path('../mixin/helper', __FILE__)
+    include ChefVault::Mixin::KnifeCompat
+    include ChefVault::Mixin::Helper
+  end
+
+  banner "knife encrypt remove [VAULT] [ITEM] [VALUES] "\
+        "--mode MODE --search SEARCH --admins ADMINS"
+
+  option :mode,
+    :short => '-M MODE',
+    :long => '--mode MODE',
+    :description => 'Chef mode to run in default - solo'
+
+  option :search,
+    :short => '-S SEARCH',
+    :long => '--search SEARCH',
+    :description => 'Chef SOLR search for clients'
+
+  option :admins,
+    :short => '-A ADMINS',
+    :long => '--admins ADMINS',
+    :description => 'Chef users to be added as admins'
+
+  def run
+    vault = @name_args[0]
+    item = @name_args[1]
+    values = @name_args[2]
+    search = config[:search]
+    admins = config[:admins]
+    json_file = config[:json]
+
+    set_mode(config[:mode])
+
+    if vault && item && ((values || json_file) || (search || admins))
+      begin
+        vault_item = ChefVault::Item.load(vault, item)
+        remove_items = []
+
+        if values || json_file
+          begin
+            json = JSON.parse(values)
+            json.each do |key, value|
+              remove_items << key
+            end
+          rescue JSON::ParserError
+            remove_items = values.split(",")
+          rescue Exception => e
+            raise e
+          end
+
+          remove_items.each do |key|
+            key.strip!
+            vault_item.remove(key)
+          end 
+        end
+        
+        vault_item.clients(search, :delete) if search
+        vault_item.admins(admins, :delete) if admins
+
+        vault_item.save
+      rescue ChefVault::Exceptions::KeysNotFound,
+             ChefVault::Exceptions::ItemNotFound
+
+        raise ChefVault::Exceptions::ItemNotFound,
+              "#{vault}/#{item} does not exists, "\
+              "use 'knife encrypt create' to create."
+      end
+    else
+      show_usage
+    end
+  end
+
+  def show_usage
+    super
+    exit 1
+  end
+end
+  

data/lib/chef/knife/encrypt_rotate_keys.rb

@@ -0,0 +1,62 @@
+# Description: Chef-Vault EncryptRotateSecret class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife'
+require 'chef-vault'
+
+class EncryptRotateKeys < Chef::Knife
+  deps do
+    require 'chef/search/query'
+    require File.expand_path('../mixin/compat', __FILE__)
+    require File.expand_path('../mixin/helper', __FILE__)
+    include ChefVault::Mixin::KnifeCompat
+    include ChefVault::Mixin::Helper
+  end
+
+  banner "knife rotate secret [VAULT] [ITEM] --mode MODE"
+
+  option :mode,
+    :short => '-M MODE',
+    :long => '--mode MODE',
+    :description => 'Chef mode to run in default - solo'
+
+  def run
+    vault = @name_args[0]
+    item = @name_args[1]
+
+    if vault && item
+      set_mode(config[:mode])
+
+      begin
+        item = ChefVault::Item.load(vault, item)
+        item.rotate_keys!
+      rescue ChefVault::Exceptions::KeysNotFound,
+             ChefVault::Exceptions::ItemNotFound
+
+        raise ChefVault::Exceptions::ItemNotFound,
+              "#{vault}/#{item} does not exists, "\
+              "use 'knife encrypt create' to create."
+      end
+    else
+      show_usage
+    end
+  end
+
+  def show_usage
+    super
+    exit 1
+  end
+end
+  

data/lib/chef/knife/encrypt_update.rb

@@ -0,0 +1,90 @@
+# Description: Chef-Vault EncryptUpdate class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife'
+require 'chef-vault'
+
+class EncryptUpdate < Chef::Knife
+  deps do
+    require 'chef/search/query'
+    require File.expand_path('../mixin/compat', __FILE__)
+    require File.expand_path('../mixin/helper', __FILE__)
+    include ChefVault::Mixin::KnifeCompat
+    include ChefVault::Mixin::Helper
+  end
+
+  banner "knife encrypt update [VAULT] [ITEM] [VALUES] "\
+        "--mode MODE --search SEARCH --admins ADMINS --json FILE"
+
+  option :mode,
+    :short => '-M MODE',
+    :long => '--mode MODE',
+    :description => 'Chef mode to run in default - solo'
+
+  option :search,
+    :short => '-S SEARCH',
+    :long => '--search SEARCH',
+    :description => 'Chef SOLR search for clients'
+
+  option :admins,
+    :short => '-A ADMINS',
+    :long => '--admins ADMINS',
+    :description => 'Chef users to be added as admins'
+
+  option :json,
+    :short => '-J FILE',
+    :long => '--json FILE',
+    :description => 'File containing JSON data to encrypt'
+
+  def run
+    vault = @name_args[0]
+    item = @name_args[1]
+    values = @name_args[2]
+    search = config[:search]
+    admins = config[:admins]
+    json_file = config[:json]
+
+    set_mode(config[:mode])
+
+    if vault && item && ((values || json_file) || (search || admins))
+      begin
+        vault_item = ChefVault::Item.load(vault, item)
+
+        merge_values(values, json_file).each do |key, value|
+          vault_item[key] = value
+        end 
+
+        vault_item.clients(search) if search
+        vault_item.admins(admins) if admins
+
+        vault_item.save
+      rescue ChefVault::Exceptions::KeysNotFound,
+             ChefVault::Exceptions::ItemNotFound
+
+        raise ChefVault::Exceptions::ItemNotFound,
+              "#{vault}/#{item} does not exists, "\
+              "use 'knife encrypt create' to create."
+      end
+    else
+      show_usage
+    end
+  end
+
+  def show_usage
+    super
+    exit 1
+  end
+end
+